License Conclusions

Determine a single dominant license per dependency by combining declared and discovered license data.

4 min readUpdated Jul 9, 2026

Overview

License Conclusion determines a single, dominant license for each dependency by combining FOSSA's Declared License data (from package manifests) with Discovered License data (from source code scans). The result is a single authoritative license that drives policy evaluation and attribution.

This mirrors the PackageLicenseConcluded field in the SPDX specification.

Dependency drawer Licenses tab showing a concluded Apache-2.0 license alongside declared and discovered license data

Enabling License Conclusion

License Conclusion is disabled by default. Enable it at the organization level before it appears in projects.

  1. 1

    Open org settings

    Navigate to Settings → Organization → General.

  2. 2

    Enable the feature

    Scroll to the Features section and toggle License Conclusion to on.

    The description reads: "Enables the ability to conclude licenses and adds related license policy settings. This global setting will only take effect on individual projects upon their next analysis."

    Organization general settings showing the License Conclusion toggle in the Features section

Note

Concluded License data is generated during dependency analysis. After enabling, run a new CLI scan or trigger a Quick Import refresh for data to populate.

How FOSSA concludes multiple licenses

In some cases FOSSA will automatically conclude multiple licenses for one dependency:

Explicit AND: when FOSSA's internal data and external verification confirm a package is governed by multiple licenses simultaneously, they are joined with AND (e.g., MIT AND Apache-2.0).

Permissive AND: if a package normally concludes to a permissive license (e.g., MIT) but a non-permissive license (e.g., GPL-3.0) is also detected, FOSSA ANDs them together to ensure the stricter obligations aren't overlooked.

To see the data sources behind a conclusion, open the dependency drawer, select the Licenses tab, and review the Concluded License section.

Policy settings

Each licensing policy has a Settings tab where you can configure how the policy interacts with concluded licenses. All settings are disabled by default.

SettingWhat it does
Only create issues for Concluded LicensesReduces noise by only generating issues based on the concluded license. Issues from Declared or Discovered licenses are suppressed.
Intelligent Auto-IgnoreIssues are generated for all license types, but issues from non-concluded licenses are automatically marked Ignored. Keeps the data record while removing noise from the active issue list.
Create issues when a license can't be concludedCreates a unique Unconcluded issue when FOSSA cannot automatically determine a dominant license, prompting manual review. Takes effect on individual projects upon their next analysis only.
Create issues when a dependency auto-concludes to multiple licensesCreates a unique Multi-License Concluded issue when FOSSA's base conclusion results in multiple licenses (e.g., MIT AND GPL-3.0).

Note

Only create issues for Concluded Licenses and Intelligent Auto-Ignore are mutually exclusive. Enabling the first automatically disables the second.

Including concluded licenses in reports

Attribution reports

  1. 1

    Open Reports

    Navigate to Reports for the project.

  2. 2

    Check Concluded License(s)

    Under Dependency Metadata in the right sidebar, check Concluded License(s).

SBOM exports

FOSSA maps the Concluded License to the following SBOM standard fields:

StandardField
SPDXPackageLicenseConcluded
CycloneDXacknowledgement

Note

The CycloneDX acknowledgement field mapping has not been verified from source code; confirm against your export if this field is critical.

Manually overriding a concluded license

FOSSA's automated conclusion can be overridden per dependency from the dependency drawer.

ActionWhat it does
ConcludeManually conclude a specific license for this dependency, overriding the automated result
UnconcludeRemove the current conclusion and return to the automated result
Add a LicenseAdd a new license to the dependency, which can then be concluded
Add a license groupAdd a new group of licenses to the dependency

Manual edits take precedence over FOSSA's automated logic for the specific dependency.

What's next

  • License Corrections: Manually add or remove licenses when automatic detection doesn't capture the right data.
  • Licensing Policies: Configure how concluded licenses are evaluated against your policy rules.
  • Licensing Reports: Generate reports that include concluded license data in your attribution output.
© 2026 FOSSA, Inc.support@fossa.com